Malware Trivia: Episode 9

We are familiar with the term IRC Channel. I want to know how safe it is to use, does it allow remote code execution and give access to the intruder. – Question asked by Indranil.

IRC has been one of the most popular means of communication prior to the emergence of instant messaging and social networking. Internet Relay Chat is based on the IRC protocol described in RFC 1459, which specifies a text-based communication protocol between clients connected through a network of servers.

Per se, the IRC protocol is safe to use and does not allow anything to pass except for text. However, just as a kitchen knife can turn into a deadly weapon if it falls into the wrong hands or gets used beyond any culinary scope, so can any communication protocol be used to send or receive unauthorized information.

The IRC protocol is widely used for botnet communication, as it is simpler than controlling bots via social networks, instant messengers or peer-to-peer networks. In order to control the computers in the botnet, a botmaster would instruct the malicious bots infecting these machines to join an IRC channel of choice and listen to the conversations. The botmaster also joins the IRC channel and starts issuing text-based commands to the bots. They will act accordingly, depending on what commands the bots support. For a simple overview of how botnet communication works, have a look at this previous article on Malware City detailing a botnet controlled via social networks. Bottom line, the IRC protocol is not dangerous, but malware communicating through IRC is.
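The pattern described above (many bots join a channel and stay silent, one botmaster talks in command-like lines) is something a defender can look for in network logs. The following is an added example, not code from the original article: it parses RFC 1459 message lines into prefix, command and parameters, then flags channels where several hosts join but only one host ever sends messages, and those messages look like commands. All hosts, nicks, the channel name and the "commands" in the sample are constructed for the example; the sigil prefixes and URL heuristic are assumptions, not a description of any real botnet.

```python
import re
from collections import defaultdict

# Constructed IDS-style sample: (source host, raw client-to-server IRC line).
# Hosts, nicks, the channel name and the "commands" are all made up for this example.
SAMPLE_TRAFFIC = [
    ("10.0.0.11", "NICK bot-a3f1"),
    ("10.0.0.11", "JOIN #chan-xyz"),
    ("10.0.0.12", "NICK bot-77c0"),
    ("10.0.0.12", "JOIN #chan-xyz"),
    ("10.0.0.13", "NICK bot-0e9d"),
    ("10.0.0.13", "JOIN #chan-xyz"),
    ("203.0.113.5", "NICK ctl"),
    ("203.0.113.5", "JOIN #chan-xyz"),
    ("203.0.113.5", "PRIVMSG #chan-xyz :!cmd 17"),
    ("203.0.113.5", "PRIVMSG #chan-xyz :!get http://example.invalid/update"),
    ("10.0.0.50", "NICK alice"),
    ("10.0.0.50", "JOIN #python"),
    ("10.0.0.50", "PRIVMSG #python :anyone know how dataclasses work?"),
]

# Assumed heuristic: bot commands tend to start with a sigil or carry a URL.
COMMAND_PREFIXES = ("!", ".", "$")
URL_RE = re.compile(r"https?://\S+")


def parse_irc_message(line):
    """Split one RFC 1459 line into (prefix, COMMAND, params).

    An optional ':prefix' comes first, the command next, then space-separated
    parameters; a parameter introduced by ' :' runs to the end of the line.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split()
        params.append(trailing)
    else:
        params = line.split()
    if not params:
        raise ValueError("empty IRC message")
    return prefix, params[0].upper(), params[1:]


def looks_like_command(text):
    return text.startswith(COMMAND_PREFIXES) or bool(URL_RE.search(text))


def find_suspect_channels(traffic, min_members=3):
    """Flag channels where many hosts join but exactly one host talks, in command-like lines."""
    joined = defaultdict(set)      # channel -> hosts that joined it
    speakers = defaultdict(set)    # channel -> hosts that sent PRIVMSG to it
    commandish = defaultdict(int)  # channel -> count of command-looking messages
    for src, raw in traffic:
        _, cmd, params = parse_irc_message(raw)
        if cmd == "JOIN" and params:
            for chan in params[0].split(","):   # JOIN accepts a comma-separated list
                joined[chan].add(src)
        elif cmd == "PRIVMSG" and len(params) >= 2 and params[0].startswith("#"):
            chan, text = params[0], params[1]
            speakers[chan].add(src)
            if looks_like_command(text):
                commandish[chan] += 1
    suspects = {}
    for chan, members in joined.items():
        if len(members) >= min_members and len(speakers[chan]) == 1 and commandish[chan] > 0:
            suspects[chan] = {
                "listeners": len(members - speakers[chan]),   # members that never spoke
                "controller": next(iter(speakers[chan])),
                "commands": commandish[chan],
            }
    return suspects


if __name__ == "__main__":
    for chan, info in find_suspect_channels(SAMPLE_TRAFFIC).items():
        print(f"{chan}: {info['listeners']} silent members, "
              f"{info['commands']} command-like lines from {info['controller']}")
```

The parser is what matters for the original question: an IRC line is nothing but text split into a command and parameters, so the protocol itself executes nothing. The detection logic is deliberately simple and will produce false positives on quiet, legitimate channels; in practice it would be one signal among several (unusual ports, hosts that never used IRC before, beaconing intervals).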

Also I heard about cross-platform worms; what are they and how do they work on both platforms? – Question asked by Indranil.

Cross-platform worms are pieces of malware that work on multiple operating system platforms. While most malware specifically targets an operating system (or even better, a specific flavor of the operating system), a few specimens can actually circumvent this limitation. One of them is Trojan.OSX.Boonana.A, a worm-like Trojan written in Java™ which spreads via social networks. This kind of worm initially executes on the machine if the Java Virtual Machine is installed, then, depending on the operating system installed, fetches the right binary files from the web and installs them on the computer. This was the case with Trojan.OSX.Jahlav.A, a piece of malware that can download either an .exe or a .dmg binary file depending on what operating system it is running on. Basically, cross-platform malware serves as a downloader for OS-specific e-threats, rather than inflicting damage by itself.

Is the "top stalker" app malicious? But more than 85% of my friends are using it! Thank God I did not fall victim to it! Will you please tell me what that app actually does so that I may warn my friends? – Question asked by Jeet.

There are quite a number of malicious applications out there, and “Top Stalker” is one of them. To be more specific, the “Top Stalker” app emerges, claims victims, gets suspended, and then re-emerges as a different application. In the meantime, the attackers have collected enough private data such as usernames, full names and associated e-mail addresses to sell as highly targeted spam lists, forced you into filling in useless surveys and (why not) exposed your friends to the same risks. I’m not a social network expert myself, but the SafEgo Facebook application developed by my colleagues helps me a lot to keep my account clean of the junk others may post and also allows me to protect others, should I post something dangerous to my contacts.

As for the last part of your question, most of these apps, including the “Top Stalker” one, pull out basic account information such as name, e-mail address and location (some of them take even the phone number) and build geo-targeted spam lists. Others will simply take you to an external website where you will be fed surveys. When you’re done filling in the surveys, you will be presented with a list of random friends as “Top stalkers” and then the application will post the results on your wall, in order to lure your friends into the same trick.

Most security experts say that we humans are the weakest link to malware. Take the "Aurora" attack for example. So what would be your recommendation for general users to protect ourselves from 0day attacks? – Question asked by Jeet.

0-Day attacks don’t rely only on critical bugs in applications; they also have a social component. In order to exploit this kind of flaw, the attacker must initially lure the victim into visiting a webpage or opening a specific application. This is usually done via spam mail, but there have been instances (such as Operation Aurora) when the victims were hand-picked and conned into following the attack scenario. Once you’ve been tricked, the exploit triggers its payload, and that’s it, you’re done.

That is why I highly recommend thinking twice before opening an attachment in an e-mail message coming from unknown people, or clicking a link recommended by someone you don’t know. Also, an antivirus solution would make the difference between a nasty infection (followed by bank fraud or identity theft) and yet another day at the office.

You can efficiently protect yourself against 0-day exploits by installing an antivirus solution with (or accompanied by a standalone) spam filter. The spam filter will block potentially harmful messages, while the antivirus will likely trigger a heuristic or behavioral detection to intercept and annihilate the exploit’s payload. Last, but not least, make sure to update your software to the latest version available. Many times, exploits for vulnerabilities that were once 0-days are successfully used weeks, months or even years after they have been patched. One example is the Conficker worm, which exploits a vulnerability in the RPC service that was fixed years ago, yet still manages to infect computers all around the world.

Also I have heard of honeypots to lure hackers/malware. Will you throw a bit of light on it? – Question asked by Jeet.

Honeypots are interesting and highly efficient methods of collecting malware and spam. Malware honeypots are unpatched and unprotected computers connected to the Internet for voluntary infection. A virus analyst collects the malware, analyzes it and adds detection to the product. A spam honeypot is made of a multitude of e-mail addresses that collect spam for the generation of automated spam signatures. Usually, these addresses are used in forum profiles or left “unprotected” for the bad guys to harvest them and send unsolicited mail.
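To make the spam honeypot idea concrete, here is an added example (not code from the article or from Bitdefender's products) of the "automated spam signature" step. Mail addressed to a spamtrap address is unsolicited by definition, so its body and link hosts become signatures that can then flag the same campaign when it reaches a real mailbox. The trap addresses, the four sample messages and the `.invalid` hostnames are all constructed for this example, and the normalisation (lower-case, digit runs replaced, whitespace collapsed) is an assumption about how a simple signature generator would defeat per-recipient randomisation.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import getaddresses
from urllib.parse import urlsplit

# Constructed spamtrap addresses: they exist only to be harvested, so any mail
# addressed to them is unsolicited by definition.
SPAMTRAPS = {"trap-2817@example.invalid", "oldforumuser@example.invalid"}

# Constructed sample mail flow: one hit on a trap, then three messages to a real user:
# the same campaign with a different order number, a legitimate note, and a message
# with different wording but the same link host.
RAW_MESSAGES = [
    "From: promo@shop.example.invalid\nTo: trap-2817@example.invalid\nSubject: Order 4411\n\n"
    "Your order 4411 is ready, claim it at http://deal.example.invalid/claim?id=4411 today\n",
    "From: promo@shop.example.invalid\nTo: alice@example.invalid\nSubject: Order 9920\n\n"
    "Your order 9920 is ready, claim it at http://deal.example.invalid/claim?id=9920 today\n",
    "From: bob@example.invalid\nTo: alice@example.invalid\nSubject: lunch\n\nStill on for 12:30?\n",
    "From: news@other.example.invalid\nTo: alice@example.invalid\nSubject: hi\n\n"
    "A fresh offer is waiting: http://deal.example.invalid/other\n",
]

URL_RE = re.compile(r"https?://[^\s>\"']+")


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def recipients(msg):
    """All To/Cc addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers)}


def body_text(msg):
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def normalize_body(text):
    """Lower-case, replace digit runs and collapse whitespace so per-recipient
    randomisation (order numbers, tracking ids) does not change the signature."""
    return " ".join(re.sub(r"\d+", "#", text.lower()).split())


def body_signature(msg):
    return hashlib.sha256(normalize_body(body_text(msg)).encode("utf-8")).hexdigest()


def url_hosts(msg):
    return {urlsplit(u).hostname for u in URL_RE.findall(body_text(msg))} - {None}


def build_signatures(raw_messages):
    """Learn signatures only from messages that were addressed to a spamtrap."""
    sigs = {"bodies": set(), "hosts": set()}
    for raw in raw_messages:
        msg = parse(raw)
        if recipients(msg) & SPAMTRAPS:
            sigs["bodies"].add(body_signature(msg))
            sigs["hosts"].update(url_hosts(msg))
    return sigs


def classify(raw, sigs):
    """Return 'spam:body', 'spam:url' or 'ham' for a message to a real mailbox."""
    msg = parse(raw)
    if body_signature(msg) in sigs["bodies"]:
        return "spam:body"
    if url_hosts(msg) & sigs["hosts"]:
        return "spam:url"
    return "ham"


if __name__ == "__main__":
    sigs = build_signatures(RAW_MESSAGES)
    for raw in RAW_MESSAGES[1:]:
        print(parse(raw)["Subject"], "->", classify(raw, sigs))
```

The important design point is that the trap hit is the only source of truth: nothing is learned from mail to real users. A production spamtrap feed also has to guard against a trap address leaking into a legitimate mailing list, which would otherwise turn a newsletter's link host into a signature that blocks everyone's copy.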

That’s it for today. Feel free to drop me your thoughts and questions using the comment form below. I’m looking forward to answering your other security questions. See you next week!

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.